syssec-utd
diff --git a/‎.gitignore‎
Lines changed: 9 additions & 0 deletions b/‎.gitignore‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎LICENSE.md‎
Lines changed: 28 additions & 0 deletions b/‎LICENSE.md‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 127 additions & 0 deletions b/‎README.md‎
Lines changed: 127 additions & 0 deletions
@@ -0,0 +1,9 @@
+gadget-finder/logs
+.idea
+*__pycache__*
+*.zip
+intrusion-detection-system/graph-based/runs
+intrusion-detection-system/graph-based/images
+intrusion-detection-system/graph-based/logs
+intrusion-detection-system/graph-based/sample-supply-chain-data/
+intrusion-detection-system/sample-supply-chain-data.zip
@@ -0,0 +1,28 @@
+BSD 3-Clause License
+
+Copyright (c) 2023, syssec-utd
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@@ -0,0 +1,127 @@
+# Evading Provenance-Based ML Detectors with Adversarial System Actions
+
+Reproducibility artifacts for the paper _Evading Provenance-Based ML Detectors with Adversarial System Actions_.
+
+## Overview
+
+
+## Folder structure
+
+| Folder | Description|
+| -------|-----------|
+| `gadget-finder`| Folder containing the code and data to execute the gadget-finder algorithms. |
+| `intrusion-detection-system`| Folder containing the code and data files for IDS execution. |
+
+### Environment Setup
+
+We will use `conda` as the python environment manager. Install the project dependencies from the [provng.yml](provng.yml) using this command:
+
+```bash
+conda env update --name provng --file provng.yml
+```
+
+Activate the conda environment before running the experiments by running this command
+
+```bash
+conda activate provng
+```
+
+### Gadget Finder
+
+* [Gadget Finder](gadget-finder/gadget-finder.py)
+  * Finds the possible gadget chains between two programs as identified in [input.csv](gadget-finder/input.csv)
+  * You can check a sample output in [output](gadget-finder/output) directory.
+  
+Running the gadget finder script:
+
+```bash
+python gadget-finder.py -i input.csv -p FrequencyDB/SAMPLE_WINDOWS_FREQUENCY_DB.csv -o output/gadgets.txt
+```
+
+### Path-based IDS
+
+#### SIGL[[1]](#references)
+
+* [sigl](intrusion-detection-system/path-based/sigl.py)
+  * Driver script for SIGL, which is an Autoencoder based IDS that detects anomalous paths.
+  * Sample causal paragraphs and feature vectors for Enterprise APT available in [sample-enterprise-data](intrusion-detection-system/path-based/sample-enterprise-data) directory.
+  
+Running the SIGL script:
+
+```bash
+python sigl.py
+```
+
+#### ProvDetector[[2]](#references)
+
+* [provdetector](intrusion-detection-system/path-based/provdetector.py)
+  * Driver script for ProvDetector, which is an LOF based IDS that detects anomalous paths.
+  * Sample causal paragraphs and feature vectors for Enterprise APT available in [sample-enterprise-data](intrusion-detection-system/path-based/sample-enterprise-data) directory.
+  
+Running the ProvDetector script:
+
+```bash
+python provdetector.py
+```
+
+### Graph-based IDS
+
+#### S-GAT
+
+* [S-GAT](intrusion-detection-system/graph-based/gnnDriver.py)
+  * Driver script for S-GAT, which is an GNN based IDS that detects anomalous graph using graph structure and attributes, e.g., node/edge types.
+  * Run [download_sample_supply_chain_data.sh](intrusion-detection-system/graph-based/download_sample_supply_chain_data.sh) to download and unzip the sample Supply-Chain APT data from [Google Drive](https://drive.google.com/file/d/1Jz0ZuiZlUEZdAgqlnfmpN2_X0Cms6Sl8/view?usp=sharing)
+  * The weighted average F1 score on the provided data with the provided model should be 0.88.
+  
+Running the S-GAT script:
+
+```bash
+python gnnDriver.py gat -if 5 -hf 10 -lr 0.001 -e 20 -n 5 -bs 128 -bi -s
+```
+
+#### Prov-GAT
+
+* [Prov-GAT](intrusion-detection-system/graph-based/gnnDriver.py)
+  * Driver script for Prov-GAT, which is an GNN based IDS that detects anomalous graph using node and edge attributes on top of features used by S-GAT feature.
+  * Run [download_sample_supply_chain_data.sh](intrusion-detection-system/graph-based/download_sample_supply_chain_data.sh) to download and unzip the sample Supply-Chain APT data from [Google Drive](https://drive.google.com/file/d/1Jz0ZuiZlUEZdAgqlnfmpN2_X0Cms6Sl8/view?usp=sharing)
+  * The weighted average F1 score on the provided data with the provided model should be 0.95.
+
+Running the Prov-GAT script:
+
+```bash
+python gnnDriver.py gat -if 768 -hf 10 -lr 0.001 -e 20 -n 5 -bs 128 -bi
+```
+
+#### ProvNinja Graph
+
+* [ProvNinja-Graph](intrusion-detection-system/graph-based/provninjaGraph.py)
+  * Driver script for ProvNinja-Graph which is an adversarial example generator.
+  * Run [download_sample_supply_chain_data.sh](intrusion-detection-system/graph-based/download_sample_supply_chain_data.sh) to download and unzip the sample Supply-Chain APT data from [Google Drive](https://drive.google.com/file/d/1Jz0ZuiZlUEZdAgqlnfmpN2_X0Cms6Sl8/view?usp=sharing)
+  * Output will be in directory [adversarial_examples](intrusion-detection-system/graph-based/adversarial_examples).
+  * The evasion rate should be approximately 168 / 198 true positives for the provided data with the provided models.
+
+Running the ProvNinja-Graph script:
+
+```bash
+python provninjaGraph.py
+```
+
+## Citing us
+
+```
+@inproceedings{mukherjee2023sec,
+	title        = {Evading Provenance-Based ML Detectors with Adversarial System Actions},
+	author       = {Kunal Mukherjee and Josh Wiedemeier and Tianhao Wang and James Wei and Feng Chen and Muhyun Kim and Murat Kantarcioglu and Kangkook Jee},
+	year         = 2023,
+	booktitle    = {Proceedings of USENIX Security Symposium (SEC)},
+	series       = {USENIX '23}
+}
+```
+
+## References 
+
+[1] X. Han, X. Yu, T. Pasquier, et al., “_Sigl: Securing software installations through deep graph learning_,” in
+USENIX Security Symposium (SEC), 2021. <br>
+[2] Q. Wang, W. U. Hassan, D. Li, et al., “_You Are What
+You Do: Hunting Stealthy Malware via Data Provenance Analysis_,” in Network and Distributed System
+Security Symposium (NDSS), Feb. 2020. <br>